Single Sign-On with no on-prem servers

  • Question

  • I work for a small business of around 50 users and have recently completed a project to move away from an on-premises SBS 2003 Exchange server to Office 365 Exchange Online. The migration went really well and I have no real problems other than the fact that we use single sign-on, so if we have a problem with the federation servers or our office internet connection goes down, which happens quite a lot, we then cannot authenticate / sign in to retrieve our emails. This is really frustrating, as one of the reasons we moved to Exchange Online was the fact that we have so many issues with the connection into the office.

    I am really just putting the word out on this to see if there are options that I haven't thought about or don't know about. One solution to this that I have been contemplating is using Azure Virtual Machines and creating a domain controller on there with a couple of federation servers, and then linking this back to the office via an Endpoint to the primary domain controller in the office. I am not sure if this would work though?

    The other option is that we don't use single sign-on, which I'm not really sure how we switch to from what we are using at the minute? I can't afford to lose the users' emails that are currently stored against their Exchange Online accounts.

    Any replies to this would be greatly appreciated.

    Sunday, May 26, 2013 5:29 PM

All replies

  • At this point in time, availability and reliability of ADFS/SSO is up to the organization. There isn't really any magical solution, sadly. Using a VM in Azure could certainly work. From an availability perspective you'd need to figure out what kind of infrastructure is required for ADFS, but it can work quite well. Another option, which isn't necessarily supported, is to switch to a cloud provider for SSO.

    Switching from SSO to standard passwords is fairly straightforward -- just a couple of PowerShell commands. There isn't much downtime, besides the time it takes for users to switch passwords, and no data is lost.


    Developer Security MVP | www.syfuhs.net

    Monday, May 27, 2013 7:23 PM
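The "couple of PowerShell commands" the reply refers to, shown as an added example that is not code from any poster in this thread. It assumes the MSOnline (Azure AD v1) PowerShell module of that era and a global admin session; `mybusiness.com` and the password file path are placeholders. It first checks the domain's current authentication type, then converts the domain from federated to standard (managed) passwords.

```powershell
# Added example, not from the thread. Assumes the MSOnline module is installed
# and the account used is a global admin of the Office 365 tenant.
Import-Module MSOnline
Connect-MsolService   # prompts for Office 365 admin credentials

$domain = "mybusiness.com"   # placeholder: the tenant's custom domain

# Step 1: confirm what the domain does today. Authentication is "Federated" when
# sign-ins are redirected to the on-prem ADFS farm, and "Managed" when Office 365
# verifies the password itself (no dependency on the office link).
Get-MsolDomain -DomainName $domain | Select-Object Name, Status, Authentication

# Step 2: convert the domain. With -SkipUserConversion $false every federated user
# in the domain becomes a managed user in the same call and is issued a temporary
# password, which is written to the file named by -PasswordFile.
$passwordFile = "C:\Temp\converted-passwords.txt"   # placeholder path
Convert-MsolDomainToStandard -DomainName $domain -SkipUserConversion $false -PasswordFile $passwordFile

# Step 3: verify the domain is now Managed and that the users in it still exist
# with their original UPNs (mailbox contents are untouched by this change).
Get-MsolDomain -DomainName $domain | Select-Object Name, Authentication
Get-MsolUser -All | Where-Object { $_.UserPrincipalName -like "*@$domain" } |
    Select-Object UserPrincipalName, IsLicensed
```

The temporary passwords in the file are the only credentials those users have until they change them, so distribute them out of band and delete the file once everyone has signed in. The change is per domain, as the reply says: you cannot mix federated and managed users within one domain, but a domain can later be moved back to federation with `Convert-MsolDomainToFederated` once the ADFS farm is reachable again.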
  • OK thanks, my concern in switching to standard passwords is that this wouldn't work with a custom domain? i.e. all users' email addresses would then be user@MyBusiness.onmicrosoft.com rather than user@MyBusiness.com

    Tuesday, May 28, 2013 12:57 PM
  • Why wouldn't a custom domain work? You can't mix and match user auth within a domain, but you can switch auth types on a domain. E.g. switching all users in mybusiness.com to standard passwords, or switching to federation.

    Developer Security MVP | www.syfuhs.net

    Tuesday, May 28, 2013 4:28 PM
  • How would security and distribution groups with email addresses attached to them work if I switched all accounts to standard auth? Would I lose the ability to use these? Or would management of them be carried on through the Office 365 management portal?

    Thursday, August 1, 2013 8:48 AM
  • AFAIK you would still be able to use everything normally. The only change is how a user proves they are who they say they are. You would still have DirSync in place keeping things connected in all the right ways.

    Developer Security MVP | www.syfuhs.net

    Thursday, August 1, 2013 4:11 PM